SECURITY: Bug#7 Gif-reader bufferoverflow. Petr Pisar.

See http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7
See https://bugzilla.redhat.com/show_bug.cgi?id=727800

This patch follows a corresponding patch in CUPS:

CUPS was fixed recently (in 1.4.7) and now does code > max_code check
http://cups.org/str.php?L3867
svn diff -c 9840 http://svn.easysw.com/public/cups/

diff --git a/src/img/gifread.c b/src/img/gifread.c
index bb66705..a12a2d8 100644 (file)
--- a/src/img/gifread.c
+++ b/src/img/gifread.c
@@ -169,7 +169,7 @@ GIFReadFD(IOSTREAM *fd,
   /* read colormaps */
   if ( BitSet((UCHAR) buf[4], LOCALCOLORMAP) )
   { if ( (rval=ReadColorMap(fd, GifScreen.BitPixel, at, ac, closure))
-                                                               != GIF_OK )
+                                                               != GIF_OK )
     { setGifError("Error reading GIF colormap");
       return rval;
     }
@@ -487,11 +487,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
       max_code = clear_code + 2;
       sp = stack;
       firstcode = oldcode = GetCode(fd, code_size, FALSE);
-      return firstcode;
-    } else if (code == end_code)
+      return (firstcode&255);
+    } else if (code == end_code || code > max_code)
     {
       int count;
-      UCHAR buf[260];
+      UCHAR buf[260];                  /* Block buffer */
 
       if (ZeroDataBlock)
        return -2;
@@ -504,7 +504,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
     }
     incode = code;
 
-    if (code >= max_code)
+    if (code == max_code)
     {
       *sp++ = firstcode;
       code = oldcode;
@@ -537,9 +537,9 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
     oldcode = incode;
 
     if (sp > stack)
-      return *--sp;
+      return ((*--sp) & 255);
   }
-  return code;
+  return (code&255);
 }